Module 2: Mitigate Threats Using Microsoft Defender for Endpoint
Module 1 introduced Defender for Endpoint as one component of the Defender XDR platform and taught you to investigate endpoint alerts within the unified incident queue. This module goes deeper. You will deploy the platform, onboard devices across Windows, macOS, and Linux, configure the preventive controls that stop attacks before they reach your investigation queue, set up the automated investigation engine that handles routine remediation, and manage the vulnerability posture that determines your attack surface.
By the end of this module, you will have a fully configured Defender for Endpoint deployment in your lab environment with onboarded devices, active ASR rules in audit mode, EDR telemetry flowing to Advanced Hunting, automated investigation configured with appropriate approval levels, and a vulnerability management dashboard that shows your lab environment’s security posture. Every configuration decision is explained with the operational reasoning that the SC-200 exam tests — not just how to enable a feature, but when to enable it, what the trade-offs are, and what breaks if you configure it wrong.
This module maps directly to the Microsoft Learn learning path “Mitigate threats using Microsoft Defender for Endpoint” and covers exam objectives across three SC-200 domains: environment configuration (Domain 1), protection and detection configuration (Domain 2), and investigation and response (Domain 3).
Complete Module 1 (Defender XDR) and Module 6 (KQL) before starting this module. Module 1 provides the investigation context — you understand what endpoint alerts look like in the incident queue and how to read device timelines. Module 6 provides the query skills — you can write KQL against DeviceProcessEvents, DeviceNetworkEvents, and DeviceFileEvents. This module teaches you to configure and manage the platform that produces that data.